Visa cards violated: BofA is reissuing after hack attack

April 16, 2004

By Jay Fitzgerald, Boston Herald

Holders of Fleet Visa business credit cards may be the latest victims of hackers who possibly got hold of sensitive card numbers via a merchant's computer system, officials acknowledged yesterday.

Fleet Credit Card Services, now part of Bank of America [BAC: chart, news] Corp. after this month's takeover of FleetBoston Financial Corp. [FBF: chart, news] , is sending new cards to an unspecified number of customers because of a security breach at an unnamed merchant.

Deborah Pulver, the spokeswoman, wouldn't say how many customers will get new cards and account numbers.

``It's a very small portion of our business accounts,'' she said. ``There was some type of compromise'' apparently tied to Visa.

In a statement to the Herald yesterday, Visa USA confirmed that it was ``recently notified by a U.S. merchant that it may have experienced a data security breach resulting in the compromise of Visa card account information.'' A Visa spokesman would not elaborate.

Officials declined to say if the latest incident is tied to a recent theft of credit card numbers at Natick-based BJ's Wholesale Club Inc. On March 12, BJ's warned that a ``few hundred'' of its 8 million members had their credit card numbers stolen in a possible systems breach.

Citizens Bank, Washington Trust Bancorp, of Rhode Island, and Navy Federal Credit Union in Virginia were among the firms that issued new credit cards and account numbers after BJ's disclosure.

Amy Russ, a BJ's spokeswoman, said yesterday that she couldn't comment on the matter.

Douglas Devitt, a co-owner of Voyager Sound Inc., a Weston software developer, said he recently got a letter, dated April 9, from Fleet saying his Fleet Platinum Visa business card account may have been one of those obtained by an ``unauthorized party.'' The letter stresses that there's no actual sign of ``fraudulent activity'' in the account, but that the card would be replaced anyway.

Devitt said he's a member of BJ's, but had never used that specific Fleet card at BJ's. About a month ago, he said, Fleet issued him a new business credit card due to a possibly unrelated fraud case in which his account was improperly charged $1,200.

Now Fleet is replacing his card for the second time in a month, he said. ``I'm just glad someone is watching out'' for his interests, he said.

Devitt said he talked to one person at Fleet who told him that the latest incident involved ``Nigerian mafia'' hackers. But Fleet's Pulver said there was no Nigerian connection to her knowledge.

Richard Smith, an Internet security consultant in Brookline, said he knows no details about the BJ's and Fleet incidents.

But he said merchants in general are often the ``weak link'' in the credit-card security system. ``The credit-card system has many players involved,'' he said, noting there have been infamous cases of Russian and Eastern European hackers stealing U.S. credit card numbers.

main page ATTRITION feedback